Abstract

Structure-preserving signatures (SPS) are signature schemes where messages, signatures and public keys all consist of elements of a group over which a bilinear map is efficiently computable. This property makes them useful in cryptographic protocols as they nicely compose with other algebraic tools (like the celebrated Groth–Sahai proof systems). In this paper, we consider SPS systems with homomorphic properties and suggest applications that have not been provided before (in particular, not by employing ordinary SPS). We build linearly homomorphic structure-preserving signatures under simple assumptions and show that the primitive makes it possible to verify the calculations performed by a server on outsourced encrypted data (i.e., combining secure computation and authenticated computation to allow reliable and secure cloud storage and computation, while freeing the client from retaining cleartext storage). Then, we give a generic construction of non-malleable (and actually simulation-sound) commitment from any linearly homomorphic SPS. This notably provides the first constant-size non-malleable commitment to group elements.

Since \(\mathcal {A}\) is a Type II forger, it is expected to produce a forgery \((\tau ^\star ,\vec {M}^\star ,\sigma ^\star )\) for a tag \(\tau ^\star \) that was used by \(\mathcal {B}\) in some signing query but for which \(\vec {M}^\star \not \in \mathrm {span}(\vec {M}_1,\ldots ,\vec {M}_{n-1})\), where \(\vec {M}_1,\ldots ,\vec {M}_{n-1}\) are the vectors of \(\mathbb {G}^n\) that were associated with \(\tau ^\star \). We denote by \(\tau _1,\ldots ,\tau _q\) the distinct adversarially-chosen tags involved in \(\mathcal {A}\)’s queries during the game. Note that, since \(\mathcal {A}\) is a Type II adversary, we will have \(\tau ^\star \in \{\tau _1,\ldots ,\tau _q\}\) at the end of the game. We also assume w.l.o.g. that exactly \(n-1\) signing queries are made for each tag \(\tau \in \{\tau _1,\ldots ,\tau _q\}\) during the game (otherwise, \(\mathcal {B}\) can simulate signing queries for itself). During its interaction with \(\mathcal {A}\), the reduction \(\mathcal {B}\) answers \({\mathsf {Sign}}, \mathsf {SignDerive}\) and \(\mathsf {Reveal}\) queries as follows.

The signature \(\sigma =(z,r,u,v)\) is not directly sent to \(\mathcal {A}\) but assigned to a new handle \(\mathsf {h}\) and stored in an entry \((\mathsf {h},(\tau _{j},\vec {M}),\sigma )\) of the table \(T\).

The only information that \(\mathcal {B}\) reveals about \((\chi _1,\ldots ,\chi _n)\) is contained in the \(z\)-components of signatures involving \(\tau ^\star \) if \(\mathcal {A}\) is a Type II adversary. Indeed, for each signing query \((\tau ,\vec {M})\) such that \(\tau \ne \tau ^\star \), \(\mathcal {B}\) introduces in the signature a fresh random exponent \(\theta \in _R \mathbb {Z}_p\) that does not appear anywhere else. This allows \(\mathcal {B}\) not to leak anything about \((\chi _1,\ldots ,\chi _n)\) during these queries.

More precisely, let us first consider what an unbounded Type II adversary \(\mathcal {A}\) can see. Throughout the game, \(\mathcal {A}\) makes \(n(q-1)+(n-1)\) signing queries since at most \(n-1\) independent queries are allowed for the tag \(\tau ^\star \). Let us index these queries as \(\{\big (\tau _j,\vec {M}_k=(M_{k,1},\ldots ,M_{k,n}) \big )\}_{j,k}\), with \(j \in \{1,\ldots ,q\}\), and let \(\{(z_{j,k},r_{j,k},u_{j,k},v_{j,k})\}_{j,k}\) denote the answers in which \(\mathcal {B}\) introduces \(n(q-1)\) variables \(\{ \theta _{j,k} \}_{j \ne j^\star ,k \in \{1,\ldots ,n\}}\) in the exponent. Together with private key elements \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\), we have a total of \(3n+n(q-1)=2n+nq\) unknowns. Each signature \( (z_{j,k},r_{j,k},u_{j,k},v_{j,k}) \) provides \(\mathcal {A}\) with at most one new linearly independent equation—recall that \((z_{j,k},v_{j,k})\) uniquely determines \(r_{j,k},u_{j,k}\) while \( v_{j,k}\) does not depend on \(\theta _{j,k}\) or \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\)—in addition to the \(2n\) linear equations resulting from the public key elements \(\{(g_i,h_i)\}_{i=1}^n\).

Proof

Let \(\mathcal {A}\) be a Type I forger with non-negligible advantage \(\varepsilon \). We show that it implies an algorithm \(\mathcal {B}\) solving an SDP instance \((g_z,g_r,h_z,h )\) with probability at least \(\varepsilon /(8 q (L+1))\).

Algorithm \(\mathcal {B}\) begins by choosing \((w_0,w_1,\ldots ,w_L) \in \mathbb {G}^{L+1}\) as in the security proof of Waters signatures [67]. This is done in such a way that, for any \(\tau \in \{0,1\}^L\), the hash value \(H_{\mathbb {G}}(\tau )\) can be written \(H_{\mathbb {G}}(\tau )=g_r^{J(\tau )} \cdot h^{K(\tau )}\) for the same functions \(J,K:\{0,1\}^L \rightarrow \mathbb {Z}_p\) as in the proof of Lemma 1. For any distinct \(\tau ,\tau _1,\ldots ,\tau _q\), we will thus have \(J(\tau )=0 \mod p\) and \(J(\tau _i) \ne 0 \mod p\) for each \(i \in \{1,\ldots ,q\}\) with non-negligible probability \(\zeta =1/(8 \cdot q \cdot (L+1))\).

The signature \(\sigma =(z,r,u,v)\) is not directly returned to \(\mathcal {A}\) but associated with a new handle \(\mathsf {h}\) and stored in an entry \((\mathsf {h},(\tau _{j},\vec {M}),\sigma )\) of the table \(T\).

necessarily gives a non-trivial solution to the SDP instance with overwhelming probability.

Indeed, the same arguments as in the proof of Lemma 1 show that we can only have \(z^\ddagger = 1_{\mathbb {G}}\) with probability \(1/p\). The reason is that, in each signing query, \(\mathcal {B}\) introduces a new blinding exponent \(\theta \) that does not appear anywhere else. For this reason, \(\mathcal {B}\) never leaks any information about \((\chi _1,\ldots ,\chi _n)\) at any time and the element \(z^\dagger \) is thus completely undetermined in \(\mathcal {A}\)’s view.\(\square \)

Appendix 2: A fully randomizable linearly homomorphic SPS

In certain situations, one may want derived signatures to have the same distribution as original signatures on the same messages.

Appendix 2.1: Privacy definition

Ahn et al. [8] formalized a strong privacy property requiring that derived signatures be statistically indistinguishable from original ones, even when these are given.

In [12], Attrapadung et al. extended the definition of [8]—which only considers honestly generated signatures—to any original signature satisfying the verification algorithm.

In [8] Ahn et al. showed that, if a scheme is strongly context hiding, then Definition 1 can be simplified by removing the \(\mathsf {SignDerive}\) and \(\mathsf {Reveal}\) oracles and only providing the adversary with an ordinary signing oracle.

Appendix 2.2: A completely context-hiding construction

We show that our scheme of Sect. 3.2 can be modified so as to become strongly context-hiding in the sense of [8]. Namely, signatures produced by the \(\mathsf {SignDerive}\) algorithm should be statistically indistinguishable from signatures freshly generated by \({\mathsf {Sign}}\), even when the original signatures are given.

The difficulty is that, in the scheme of Sect. 3.2, we cannot re-randomize the underlying \(\theta \) without knowing \(h_z^{\alpha _r}\). To address this problem, it is tempting to include in each signature a randomization component of the form \((h_z^{\alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\zeta },h^{\zeta })\), for some \(\zeta \in \mathbb {Z}_p\), which can be seen as a signature on the vector \((1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\). Unfortunately, the security proof ceases to go through as the reduction finds itself unable to generate a well-formed pair \((h_z^{\alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\zeta },h^{\zeta })\) at some step of its interaction with the adversary. Our solution actually consists in committing to the signature components that cannot be re-randomized and provide evidence that committed group elements satisfy the verification equations. This is achieved using Groth–Sahai non-interactive arguments on a perfectly witness indistinguishable Groth–Sahai CRS, as in the linearly homomorphic construction of Attrapadung et al. [13]. A slight difference with [13], however, is that signature components \((H_{\mathbb {G}}(\tau )^{-\rho },h^{-\rho })\) are no longer used and replaced by the technique of Malkin et al. [62], which yields slightly shorter signatures.

Keygen\((\lambda ,n)\): given a security parameter \(\lambda \) and the dimension \(n \in {\mathbb {N}}\) of the subspace to be signed, choose a bilinear group \((\mathbb {G},\mathbb {G}_T)\) of order \(p >2^{\lambda }\). Then, do the following.

We believe this construction to be of interest even if we disregard its structure-preserving property. Indeed, if we compare it with the only known completely context-hiding linearly homomorphic signature in the standard model [13], its signatures are shorter by one group element. Moreover, we can prove the security under the sole DLIN assumption whereas the scheme of [13] requires an additional assumption.

The scheme is clearly completely context hiding because signatures only consist of perfectly randomizable commitments and NIWI arguments.

As for the unforgeability of the scheme, the proof of the following theorem is along the lines of [62, Theorem 5]. However, we can only prove unforgeability in a weaker sense as we need to assume that the adversary is targeting. Namely, in the case of Type II attacks, the adversary must also output a proof that it actually broke the security of the scheme and that its vector \(\vec {M}^\star =(M_1^\star ,\ldots ,M_n^\star ) \in \mathbb {G}^n\) is indeed independent of the vectors for which it obtained signatures for the target tag \(\tau ^\star \).

Theorem 4

Proof

Since the scheme is completely context-hiding, we work with a simpler security definition where the adversary only interacts with a signing oracle. This suffices to guarantee security in the sense of Definition 2, as implied by the result of Ahn et al. [8]. The proof proceeds via a sequence of games. In each game, we denote by \(X_i\) the probability that the adversary \(\mathcal {A}\) wins.

\({\mathsf{Game }}_{ real }:\) This is the real game. When the adversary \(\mathcal {A}\) terminates, the simulator outputs \(1\) if \(\mathcal {A}\) is successful. We thus have \(\Pr [X_{ real }]={\mathbf {Adv}}(\mathcal {A})\).

\({\mathsf{Game }}_{0}:\) This game is identical to \({\mathsf{Game }}_{ real }\) but we modify the generation of the public key. Namely, the vectors \((\vec {f_1},\vec {f_2},\{ \vec {f}_{3,i} \}_{i=0}^L )\) are chosen by setting \(\vec {f}_1=(f_1,1_{\mathbb {G}},g)\) and \(\vec {f}_2=(1_{\mathbb {G}},f_2,g)\), with \(f_1,f_2 \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\). As for \(\{ \vec {f}_{3,i} \}_{i=0}^L\), they are obtained as

\({\mathsf{Game }}_{1}:\) In this game, we first raise an event \(F_1\), which causes the simulator \(\mathcal {B}\) to abort if it does not occur. Let \(\tau _1,\ldots ,\tau _q\) be the distinct tags successively involved in \(\mathcal {A}\)’s queries throughout the game and let \(\tau ^\star \) be the tag involved in \(\mathcal {A}\)’s forgery. We know that, for a Type II forger, \(\tau ^\star \in \{\tau _1,\ldots ,\tau _q\}\) whereas \(\tau ^\star \not \in \{\tau _1,\ldots ,\tau _q\}\) for a Type I adversary. For each string \(\tau \in \{0,1\}^L\), we consider the function \(J(\tau )= \mu \cdot \zeta - \rho _0 - \sum _{i=1}^L \rho _i \tau [i]\). We also define \(F_1\) to be the event that

We note that the exponents \(\rho _0,\rho _1,\ldots ,\rho _L\) are independent of \(\mathcal {A}\)’s view: as a consequence, the simulator could equivalently define \( \{ \vec {f}_{3,i} \}_{i=0}^L\) first and only choose \(\{\rho _i\}_{i=0}^L\) (together with values \(\{\xi _{3,i}\}_{i=0}^L\) explaining the \(\{\vec {f}_{3,i}\}_{i=0}^L\)) at the end of the game, when \(\tau ^\star ,\tau _1,\ldots ,\tau _q\) have been defined. In the case of a Type I attack, the same analysis as [67] (after the simplification of Bellare and Ristenpart [14]) shows that \(\Pr [X_1 \wedge F_1] \ge {\mathbf {Adv}}(\mathcal {A})^2/(27 \cdot q \cdot (L+1))\).

This follows from the fact that, for any set of queries, a lower bound on the probability of event \(F_1\) is \( 1/(2q(L+1))\). In the case of Type II attacks, a lower bound on the probability of \(F_1\) for any set of queries is given by \( \eta \ge 1/(2 (q-1)(L+1))>1/(2q (L+1))\). Indeed, after re-ordering, the set of queried tags can be written \(\{\tau ^\star ,\tau _1,\ldots ,\tau _{q-1}\}\) and, from the known results [52, 67] on the programmability of Waters’ hash function, we know that the probability, taken over the choice of \((\mu , \rho _0,\ldots ,\rho _L)\), to have \(J(\tau ^\star )=0\) and \(\wedge _{j=1}^{q-1} J(\tau _j)\ne 0\) for any distinct \(\tau ^\star ,\tau _1,\ldots ,\tau _q\) is at least \( 1/(2(q-1)(L+1))>1/(2q(L+1)). \) In the following, we denote by \(F_i\) the counterpart of event \(F_1\) in \({\mathsf{Game }}_i\).

\({\mathsf{Game }}_{2}:\) In this game, we modify the distribution of the public key. Namely, \(\vec {f_1}=(f_1,1,g)\) and \(\vec {f_2}=(1,f_2,g)\) are chosen as before but, instead of generating the vectors \(\{\vec {f}_{3,i}\}_{i=0}^L\) as previously, we choose them as

If \(Z \in _R \mathbb {G}\), \(\{\vec {f}_{3,i}\}_{i=0}^L\) is distributed as in \({\mathsf{Game }}_1\). If \(Z=g^{\delta _1+\delta _2}\), the distribution of \(\{\vec {f}_{3,i}\}_{i=0}^L\) is the same as in (12). For this reason, we can write \(|\Pr [X_2 \wedge F_2]-\Pr [X_1 \wedge F_1]|\le {\mathbf {Adv}}^{\mathrm{DLIN}}(\mathcal {A})\) as we assumed that the challenger \(\mathcal {B}\) can always detect when a targeting adversary is successful.

\({\mathsf{Game }}_{3}:\) In this game, we modify the treatment of signing queries. We note that, for a given message \((\tau ,\vec {M}=(M_1,\ldots ,M_n))\), there is an exponential number of witnesses \((z,r,u) \in \mathbb {G}^3\) satisfying the verification equations

Specifically, each \(z \in _R \mathbb {G}\) determines a unique pair \((r,u)\) for which (13) holds. However, in \({\mathsf{Game }}_3\), the simulator \(\mathcal {B}\) answers all signing queries using the witness \((z,r,u)\) such that

We argue that this change does not affect \(\mathcal {A}\)’s view whatsoever. Indeed, if event \(F_3\) occurs, we have \(J(\tau ^\star )=0\) and \(J(\tau _j)\ne 0\) for each \(\tau _j \ne \tau ^\star \). Moreover, when \(J(\tau _j) \ne 0\), the Groth–Sahai CRS \((\vec {f}_1,\vec {f}_2,\vec {f}_{\tau _j})\) is a perfectly hiding Groth–Sahai CRS. This means that \(\vec {C}_z, \vec {C}_r, \vec {C}_u\) are perfectly hiding commitments and the proofs \((\vec {\pi }_1,\vec {\pi }_2)\) are perfectly witness indistinguishable proofs. In other words, although the proofs \((\vec {\pi }_1,\vec {\pi }_2)\) are always generated using the witnesses \((z,r,u)\) for which \(\theta =0\), their distribution does not depend on which specific witness is used.

In contrast, in the case of Type II attacks, for signing queries involving \(\tau ^\star \), the tuple \((\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2)\) reveals the underlying \((z,r,u)\) in the information theoretic sense since \((\vec {f}_1,\vec {f}_2,\vec {f}_{\tau ^\star })\) is a perfectly binding CRS when \(J(\tau ^\star )=0\). However, at most \(n-1\) signing queries on linearly independent vectors \(\vec {M}_j\) are made for the tag \(\tau ^\star \), so that \(\mathcal {A}\) only obtains \(n-1\) linearly independent equations in the exponent. As a consequence, \(\mathcal {A}\) does not obtain a sufficient amount of information to recognize that \(\theta =0\) in the underlying signatures. For this reason, we find that \(\Pr [X_3 \wedge F_3]=\Pr [X_2 \wedge F_2]\).

In \(\mathsf{Game }_3\), we show that a successful forger \(\mathcal {A}\) implies an algorithm \(\mathcal {B}\) solving a given SDP instance \((g_z,g_r,h_z,h)\) with non-negligible advantage, which contradicts the DLIN assumption.

The binding property demands that, given \(pk\), no PPT adversary should be able to produce a commitment that can be opened to two distinct messages. More precisely, for any PPT adversary \(\mathcal {A}\), the following advantage function should be negligible as a function of \(\lambda \).

A commitment is also said to be hiding if commitments to distinct messages have computationally indistinguishable distributions. Formally, for any PPT adversary \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\), the following advantage term is negligible as a function of \(\lambda \).

A trapdoor commitment is a perfectly hiding commitment for which a trapdoor \(tk\) makes it possible to break the binding property and open a commitment to any arbitrary value. However, this should remain infeasible without the trapdoor. More formally, a trapdoor commitment uses two additional algorithms \((\mathsf {FakeCom},\mathsf {FakeOpen})\) that proceed as follows.

Definition 7

A trapdoor commitment is a tuple \((\mathsf {Setup},\mathsf {Com},\mathsf {FakeCom},\mathsf {FakeOpen}, {\mathsf {Verify}})\) of efficient algorithms where \(\mathsf {Com}\) and \(\mathsf {Verify}\) proceed as in an ordinary commitment and other algorithms proceed as follows.

Setup is a randomized algorithm that takes as input a security parameter \(\lambda \). It produces a public key \(pk\) and a trapdoor \(tk\).

FakeCom is a randomized algorithm that takes as input a public key \( {pk}\) and the trapdoor \(tk\). It outputs a fake commitment string \(\widetilde{\mathsf {com}}\) and some auxiliary information \(\mathsf {aux}\).

FakeOpen takes as input a fake commitment produced by \(\mathsf {FakeCom}\) and the corresponding auxiliary information \(\mathsf {aux}\). It also takes as input a message \(\mathsf {Msg}\) and the trapdoor \(tk\) and outputs a fake de-commitment \(\widetilde{\mathsf {dec}}\) such that \(\mathsf {Verify}(pk,\mathsf {Msg},\widetilde{\mathsf {com}},\widetilde{\mathsf {dec}})=1\). Moreover, the two distributions

A trapdoor commitment is independent if it provides \(\ell \)-independence for any arbitrary \(\ell \in {\mathsf {poly}}(\lambda )\).

It is known (see, e.g., [61]) that, when an SSTC scheme and a secure one-time signature are combined to build an ordinary commitment scheme, the simulation-sound binding property and the security of the one-time signature imply the notion of independence.

Proof

We first observe that the commitment satisfies the trapdoor property if the homomorphic SPS is regular. Indeed, in the distribution \(D_{ fake }\), the commitment \(\widetilde{\mathsf {com}}\) is obtained as

In other words, the joint distribution of \((\widetilde{\mathsf {com}},\widetilde{\mathsf {dec}})\) is the same as if it were obtained by choosing \((\tilde{Z}_1 ,\ldots ,\tilde{Z}_{n_z} ,\tilde{V}_1,\ldots ,\tilde{V}_{n_v} ) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}^{n_v+n_z}\) and computing \(\{c_j\}_{j=1}^m\) as per (17).

We now turn to the simulation-sound binding property and show that, if there exists a PPT adversary \(\mathcal {A}\) that breaks this property with non-negligible advantage \(\varepsilon \), there exists a non-independent Type I forger \(\mathcal {B}\) against the signature scheme.

Eventually, the adversary \(\mathcal {A}\) outputs a commitment of its own \(\mathsf {com}^\star = (c_1^\star ,\ldots ,c_m^\star )\) along with valid openings \(\mathsf {dec}=(Z_1 ,\ldots ,Z_{n_z} ,V_1 ,\ldots ,V_{n_v} ), \mathsf {dec}'=(Z_1',\ldots ,Z_{n_z}',V_1',\ldots ,V_{n_v}')\) to distinct vectors \((M_1,\ldots ,M_n) \ne (M_1',\ldots ,M_n')\) for some tag \(tag^\star \) that has never been used in any query to \({\mathcal {O}}_{tk,sk}\). Since both openings successfully pass the verification test, we find that

forms a valid homomorphic signature on the vector \((M_1/M_1',\ldots ,M_n/M_n') \ne (1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\) for the identifier \(\tau ^\star =tag^\star \). By construction, \(\tau ^\star \) was never the input of a signing query made by \(\mathcal {B}\) to its own oracle. Consequently, \(\mathcal {B}\) is indeed a Type I non-independent forger with advantage \(\varepsilon \).\(\square \)

Appendix 5: Non-interactive simulation-sound trapdoor commitments from linearly homomorphic signatures in groups of public order

MacKenzie and Yang [61] showed that simulation-sound trapdoor commitments imply digital signatures. In the converse direction, constructions of SSTCs are only known for signature schemes admitting efficient \(\Sigma \) protocols. In fact, as noted by Fujisaki [40], all known constructions of non-interactive simulation-sound or multi-trapdoor [42] commitments build on signature schemes for which an efficient \(\Sigma \) protocol allows proving knowledge of a signature.

The idea is to commit to a message \(m\) by using \(m\) as the challenge of a \(\Sigma \) protocol for proving knowledge of a signature \(\sigma =\mathsf {Sig}(sk,tag)\) on the tag. The commitment is given by the first message \(a\) of the \(\Sigma \) protocol transcript \((a,m,z)\), which is obtained by simulating a proof of knowledge of a valid signature \(\sigma \) on the message \(tag\). The commitment is subsequently opened by revealing \(z\). By the special soundness of the \(\Sigma \) protocol, unless the sender actually knows a valid signature on \(tag\), it can only open a given commitment \(a\) to one message \(m\).

While simple, the above construction (which extends to give identity-based trapdoor commitments, as noted in [25]) does not readily extend to commit to vectors. Fujisaki [40] gave an alternative construction based on encryption schemes. However, this construction is interactive. Groth and Ostrovsky [49] finally defined the notion of simulation-extractable commitments by additionally requiring adversarially-generated commitments to be extractable instead of simply binding. A consequence of this strengthened property is that, just like UC commitments [24], simulation-extractable commitments cannot be length-reducing any longer.

This section shows that ordinary (i.e., non-structure-preserving) linearly homomorphic signatures also make it possible to construct non-interactive simulation-sound (and thus non-malleable) commitments if they satisfy a certain template. Moreover, they make it possible to commit to vectors while preserving the ability of efficiently proving properties about committed vectors. We notably obtain efficient constructions based on the Diffie–Hellman and strong Diffie–Hellman [15] assumptions.

Appendix 5.1: Definition and template

We first consider a definition of unforgeability which is obtained by simplifying Definition 2 and removing the \(\mathsf {SignDerive}\) and \(\mathsf {Reveal}\) oracles. As we will see, this simplified definition will be sufficient for the construction of simulation-sound trapdoor commitments. On the other hand, unlike the definition used in [17, 18, 19], Definition 9 allows the adversary to choose the file identifiers in his signing queries.

Definition 9

A linearly homomorphic signature scheme \(\Sigma =(\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) is secure if no probabilistic polynomial time (PPT) adversary has non-negligible advantage (as a function of the security parameter \(\lambda \in {\mathbb {N}}\)) in the following game:

Note that, in some cases, it may be sufficient to use a non-adaptive definition of unforgeability where the adversary has to declare all the file identifiers \(\tau _1,\ldots ,\tau _q\) involved in signing queries at the very beginning of the attack (before seeing the public key \(\mathsf {pk}\)).

Again, we say that the adversary is independent if

For any given tag \(\tau \), it is restricted to only query signatures on linearly independent vectors.

Each pair \(({\tau },\vec {m})\) is queried at most once.

Let \(\varPi =(\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) be a linearly homomorphic signature over \(\mathbb {Z}_p^n\), for some large prime \(p>2^{\lambda }\). We assume that \(\varPi \) uses groups \(\mathbb {G}_1\) and \(\mathbb {G}_2 \) of public orders \(p^k\) and \(p\), respectively, for some \(k\in {\mathbb {N}}\). We also assume that each signature \(\sigma \) lives in \( \mathbb {G}_1 \). The verification algorithm takes as input a purported signature \(\sigma \in \mathbb {G}_1\), a file identifier \(\tau \) and a vector \(\vec {m}\). It returns \(1\) if and only if

where \(F \) is a function ranging over the group \(\mathbb {G}_2\) and satisfying certain linearity properties. Namely, for each \(\mathsf {pk}\) produced by \(\mathsf {Keygen}\) and each \(\tau \), we require that

We remark that the above template only captures schemes in groups of public order, so that constructions based on the Strong RSA assumption [26, 27] or on lattices [17, 18] are not covered. The reason is that, when working over the integers, messages and signature components may increase at each homomorphic operation. This makes it harder to render trapdoor openings indistinguishable from original de-commitments.

For completeness, we prove the following result in a similar way to the proof of Theorem 3.

Theorem 5

The above construction is a secure SSTC assuming that \(\varPi \) is both regular and unforgeable against non-independent Type I attacks.

Proof

The proof is very similar to the proof of Theorem 3. We first show that the commitment is a trapdoor commitment if \(\varPi \) is a regular homomorphic signature. Indeed, in the distribution \(D_{ fake }\), the commitment is obtained as

such that \(\widetilde{\mathsf {com}}=F (\tilde{\sigma } ,\vec {m} , \mathsf {pk},tag )\), so that \(\widetilde{\mathsf {com}}\) can be explained as a commitment to \(\vec {m}\). Moreover, since \(\hat{\sigma }\) was chosen uniformly in \(\mathbb {G}_1\), the obtained de-commitment \(\tilde{\sigma }\) is uniform among values such that

To establish the simulation-sound binding property, we show that, if there exists a PPT adversary \(\mathcal {A}\) that breaks this property with advantage \(\varepsilon \), the homomorphic signature scheme \(\varPi \) can be broken by a non-independent Type I forger \(\mathcal {B}\) with the same advantage \(\varepsilon \).

Appendix 5.3: Instantiations

Construction from the Diffie–Hellman assumption

Previously, non-malleable commitments based on the CDH assumption were—implicitly or explicitly—described in [35, 64] but it is not immediate how to extend them to commit to vectors in a modular way.

In [12], Attrapadung et al. described a linearly homomorphic signature which is notably secure against Type I independent adversaries—as implicitly proved by [12, Lemma 8]—under the computational Diffie–Hellman (CDH) assumption.

This scheme can be seen as a specific instantiation of the template where the group \(\mathbb {G}_1\) is a product \(\mathbb {G}_1=\mathbb {G}^2 \times \mathbb {Z}_p\), which is a group for the operation \((\cdot ,\cdot , +)\), and \(\mathbb {G}_2=\mathbb {G}_T\). Here, \(\mathbb {G}_1\) and \(\mathbb {G}_2\) thus have order \(p^3\) and \(p\), respectively. As for the linear function \(F\), it can be instantiated as

As a result, we obtain a new non-interactive simulation-sound trapdoor commitment to vectors under the CDH assumption. We note that the scheme can be optimized by removing the terms \(v^s\) and \(s\), so as to have \((\sigma _1,\sigma _2)=\big ((\prod _{i=1}^n g_i^{m_i})^{\alpha } \cdot H_{\mathbb {G}}(\tau )^r ,g^r \big )\) and

Indeed, in the proof of [12, Lemma 8], we observe that, if the signature scheme only needs to be secure against Type I attacks, the terms \((v^s,s) \in \mathbb {G}\times \mathbb {Z}_p\) can be eliminated.

Unlike the CDH-based construction of [40], the above commitment scheme is non-interactive and allows committing to vectors with a constant-size commitment string. Unlike the solution consisting in committing to a short string obtained by hashing the vector, our solution makes it possible for the sender to prove properties (using \(\Sigma \) protocols or Groth–Sahai proofs) about committed vectors in an efficient way.

We also remark that, for vectors of dimension \(n=1\), we obtain a simplification of existing multi-trapdoor (or identity-based) trapdoor commitments [35, 64] based on the Waters signature: instead of starting from a \(\Sigma \) protocol for proving knowledge of a Waters signature, we obtain a more efficient scheme by building the commitment algorithm directly on the verification equation of the underlying signature. Recall that the verification equation of Waters signatures \((\sigma _1,\sigma _2)\) returns \(1\) if and only if it holds that \(e(\sigma _1,g)=e(g^{\alpha },h ) \cdot e(H_{\mathbb {G}}(M),\sigma _2)\), where \(M \in \{0,1\}^L\) is the message and \( g^{\alpha },h \) are part of the public key. Now, to commit to a message \(m \in \mathbb {Z}_p\) under a tag \(\tau \), the sender picks random \(\theta _1,\theta _2 \in \mathbb {G}\) and computes \(\mathsf {com}=e(g^{\alpha },h)^m \cdot e(g,\theta _1) \cdot e(H_{\mathbb {G}}(\tau ),\theta _2) \in \mathbb {G}_T\) and \(\mathsf {dec}=(\theta _1,\theta _2)\). It is easy to see that a signature \((\sigma _1,\sigma _2)\) on \(\tau \) makes it possible to trapdoor-open \(\mathsf {com}\) to any message. Moreover, the resulting scheme gives a shorter commitment string and a faster verification algorithm than in [25, 64].
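The following worked example is added here and is not code from the paper or its authors. It implements the commitment just described (\(\mathsf {com}=e(g^{\alpha },h)^m \cdot e(g,\theta _1) \cdot e(H_{\mathbb {G}}(\tau ),\theta _2)\)) and its trapdoor opening, and goes one step beyond the \(n=1\) case on the page by committing to a vector \((m_1,\ldots ,m_n)\) through \(e(g^{\alpha },\prod _i g_i^{m_i})\) and equivocating with signatures of the CDH-based scheme \((\sigma _1,\sigma _2)=\big ((\prod _{i=1}^n g_i^{m_i})^{\alpha } \cdot H_{\mathbb {G}}(\tau )^r ,g^r \big )\) on the \(n\) unit vectors, combined linearly; that vector generalization is my extrapolation of the page's construction, not a formula the page writes out (for \(n=1\) it reduces exactly to \(\theta _1'=\theta _1 \cdot \sigma _1^{m-m'}\), \(\theta _2'=\theta _2 \cdot \sigma _2^{-(m-m')}\)). The bilinear group is modelled by discrete logarithms (an element \(g^x\) is stored as \(x\) and \(e(g^a,g^b)\) as \(ab\)), which is purely an assumption to check the algebra offline and provides no security; the Waters hash \(H_{\mathbb {G}}(\tau )=w_0 \prod _i w_i^{\tau [i]}\) is kept in that model, with a constructed toy prime, tag length and all function names being my own.

```python
"""Added example (not from the paper): Waters-based trapdoor commitment to vectors.

Exponent model (assumption, insecure): an element g^x of G is stored as x mod P,
an element of G_T as its exponent, and e(g^a, g^b) = g_T^{ab} is a*b mod P.
"""
import secrets

P = 2**127 - 1   # constructed toy prime (assumption); p > 2^lambda in the paper
L = 16           # tag length in bits for the Waters hash (assumption)


def rand():
    return secrets.randbelow(P)


def pair(a, b):
    """Exponent-model pairing: e(g^a, g^b) = g_T^{a*b}."""
    return a * b % P


def keygen(n):
    """pk = (g, g^alpha, Waters params w_0..w_L, g_1..g_n); sk = alpha."""
    alpha = rand()
    pk = {"g": 1, "g_alpha": alpha, "w": [rand() for _ in range(L + 1)],
          "g_i": [rand() for _ in range(n)]}
    return pk, alpha


def waters_hash(pk, tag):
    """H_G(tag) = w_0 * prod_i w_i^{tag[i]} over the L bits of tag."""
    bits = [(tag >> i) & 1 for i in range(L)]
    return (pk["w"][0] + sum(w * b for w, b in zip(pk["w"][1:], bits))) % P


def vec_elem(pk, m):
    """prod_i g_i^{m_i} as a single group element (the 'h' of the n=1 case)."""
    return sum(gi * mi for gi, mi in zip(pk["g_i"], m)) % P


def sign(pk, alpha, tag, m):
    """(sigma_1, sigma_2) = ((prod g_i^{m_i})^alpha * H_G(tag)^r, g^r)."""
    r = rand()
    return ((alpha * vec_elem(pk, m) + waters_hash(pk, tag) * r) % P, r)


def sig_verify(pk, tag, m, sig):
    """e(sigma_1, g) == e(prod g_i^{m_i}, g^alpha) * e(H_G(tag), sigma_2)."""
    s1, s2 = sig
    rhs = (pair(vec_elem(pk, m), pk["g_alpha"]) + pair(waters_hash(pk, tag), s2)) % P
    return pair(s1, pk["g"]) == rhs


def combine(sigs, coeffs):
    """Linear homomorphism: a signature on sum_i c_i*m_i from signatures on the m_i."""
    s1 = sum(c * s[0] for c, s in zip(coeffs, sigs)) % P
    s2 = sum(c * s[1] for c, s in zip(coeffs, sigs)) % P
    return s1, s2


def commit(pk, tag, m):
    """com = e(g^alpha, prod g_i^{m_i}) * e(g, theta_1) * e(H_G(tag), theta_2)."""
    th1, th2 = rand(), rand()
    com = (pair(pk["g_alpha"], vec_elem(pk, m)) + pair(pk["g"], th1)
           + pair(waters_hash(pk, tag), th2)) % P
    return com, (th1, th2)


def verify(pk, tag, m, com, dec):
    th1, th2 = dec
    return com == (pair(pk["g_alpha"], vec_elem(pk, m)) + pair(pk["g"], th1)
                   + pair(waters_hash(pk, tag), th2)) % P


def fake_open(pk, tag, m_old, dec_old, m_new, unit_sigs):
    """Trapdoor opening: a signature on (m_old - m_new) for this tag absorbs the
    factor e(g^alpha, prod g_i^{m_old_i - m_new_i}) into (theta_1, theta_2)."""
    diff = [(a - b) % P for a, b in zip(m_old, m_new)]
    s1, s2 = combine(unit_sigs, diff)          # homomorphic signature on diff
    th1, th2 = dec_old
    return ((th1 + s1) % P, (th2 - s2) % P)    # theta_1*sigma_1, theta_2*sigma_2^{-1}


def demo(n):
    """Commit to a random vector, then equivocate the same commitment to another one.
    Returns (honest opening ok, fake opening ok, old opening rejected for the new
    vector, combined signature valid)."""
    pk, alpha = keygen(n)
    tag = secrets.randbelow(1 << L)
    # trapdoor for this tag: one signature per unit vector e_1..e_n
    unit_sigs = [sign(pk, alpha, tag, [int(i == j) for j in range(n)]) for i in range(n)]
    m_old = [rand() for _ in range(n)]
    m_new = [rand() for _ in range(n)]
    com, dec_old = commit(pk, tag, m_old)
    dec_new = fake_open(pk, tag, m_old, dec_old, m_new, unit_sigs)
    diff = [(a - b) % P for a, b in zip(m_old, m_new)]
    return (verify(pk, tag, m_old, com, dec_old),
            verify(pk, tag, m_new, com, dec_new),
            verify(pk, tag, m_new, com, dec_old),
            sig_verify(pk, tag, diff, combine(unit_sigs, diff)))


if __name__ == "__main__":
    print(demo(1), demo(3))
```

Running `demo(1)` reproduces the page's single-message case; `demo(3)` shows why linear homomorphism is what makes the vector version work: the equivocator never needs a fresh signature on the difference vector, only the \(n\) signatures on unit vectors for the tag, and the third returned flag confirms that the honest opening does not verify against the new vector, i.e. equivocation really does require the trapdoor.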

Construction from the strong Diffie–Hellman assumption

As mentioned earlier, in the application to non-malleable commitments, simulation-sound trapdoor commitments only need to be secure against adversaries that choose beforehand (before receiving the public key) on which tags they will see equivocations of commitments produced by \(\mathsf {FakeCom}\). In this case, we only need the underlying linearly homomorphic signature to be secure against non-adaptive Type I independent adversaries. The construction of Catalano et al. [27] is an example of such a system. In [27], it was implicitly proved that the scheme is secure against non-adaptive (independent) Type I adversaries under the strong Diffie–Hellman assumption [15].

This construction can also be seen as a special case of our template where \(\mathbb {G}_1= \mathbb {G}\times \mathbb {Z}_p\) is a group for the operation \((\cdot ,+)\) and \(\mathbb {G}_2=\mathbb {G}_T\) is a multiplicative group. Here, we thus have \(|\mathbb {G}_1|=p^2\) and \(|\mathbb {G}_2|=p\). The linear function \(F\) is now defined as

The linearly homomorphic signature of [27] thus implies a non-interactive non-adaptive simulation-sound trapdoor commitment to vectors based on the strong Diffie–Hellman assumption. Again, the scheme can be simplified by removing the term \(v^s\) since the underlying signature only needs to be secure against non-adaptive Type I attacks. In the case \(n=1\), the resulting non-malleable commitment is a variant of the one of [42, Sect. 4.2].